Comcast Becomes the First ISP To Join Mozilla's TRR Program (neowin.net) 85
Comcast has joined Cloudflare and NextDNS in partnering with Mozilla's Trusted Recursive Resolver program, which aims to make DNS more trusted and secure. Neowin reports: Commenting on the move, Firefox CTO Eric Rescorla, said: "Comcast has moved quickly to adopt DNS encryption technology and we're excited to have them join the TRR program. Bringing ISPs into the TRR program helps us protect user privacy online without disrupting existing user experiences. We hope this sets a precedent for further cooperation between browsers and ISPs."
With its TRR program, Mozilla said that encrypting DNS data with DoH is just the first step in securing DNS. It said that the second step requires companies handling the data to have appropriate rules in place for handling it. Mozilla believes these rules include limiting data collection and retention, ensuring transparency about any retained data, and limiting the use of the resolver to block access or modify content. Ars Technica notes that joining Mozilla's program means that Comcast agreed that it won't "retain, sell, or transfer to any third party (except as may be required by law) any personal information, IP addresses, or other user identifiers, or user query patterns from the DNS queries sent from the Firefox browser," along with other requirements.
When the change happens, it'll be automatic for users unless they've chosen a different DoH provider or disabled DoH altogether. Comcast told Ars yesterday that "Firefox users on Xfinity should automatically default to Xfinity resolvers under Mozilla's Trusted Recursive Resolver program, unless they have manually chosen a different resolver, or if DoH is disabled. The precise mechanism is still being tested and the companies plan to document it soon in an IETF [Internet Engineering Task Force] Draft."
With its TRR program, Mozilla said that encrypting DNS data with DoH is just the first step in securing DNS. It said that the second step requires companies handling the data to have appropriate rules in place for handling it. Mozilla believes these rules include limiting data collection and retention, ensuring transparency about any retained data, and limiting the use of the resolver to block access or modify content. Ars Technica notes that joining Mozilla's program means that Comcast agreed that it won't "retain, sell, or transfer to any third party (except as may be required by law) any personal information, IP addresses, or other user identifiers, or user query patterns from the DNS queries sent from the Firefox browser," along with other requirements.
When the change happens, it'll be automatic for users unless they've chosen a different DoH provider or disabled DoH altogether. Comcast told Ars yesterday that "Firefox users on Xfinity should automatically default to Xfinity resolvers under Mozilla's Trusted Recursive Resolver program, unless they have manually chosen a different resolver, or if DoH is disabled. The precise mechanism is still being tested and the companies plan to document it soon in an IETF [Internet Engineering Task Force] Draft."
Re: Ummm... (Score:1)
Not actually necessary, hurts us in the end (Score:5, Interesting)
I feel like it can't be overstated enough that these changes will be a significant burden on both users and companies. The web works well because DNS is extremely simple, flexible, decentralized, and fast. These solutions take away all of those properties and turn DNS into yet another slow, fragile, centralized monstrosity. They centralize control of the internet with a few key players and make it harder for people to control their own devices and networks. While at the same time, they add new technological requirements, which will be more costly, and also make old devices more obsolete.
And moreover, we don't actually need it. The web is already secure without DNS being secure. This isn't about security at all, it's about privacy: people are upset that companies are doing what every company has been doing for the past 40 years: building profiles about people in order to sell them more crap they don't need. So instead of ISPs being able to make money off of your data (and thus have more cash to make your service more affordable or stable), only Facebook, Google, Twitter, and other ad companies will be able to make money off of you.
Quite frankly, it's depressing that we're letting a few giant organizations take away our agency to use the internet freely. And it sucks that more stupid technology is being shoved down our throats that will have more bugs and require ever faster devices just to do something stupid like read a damn text file.
Re: (Score:3)
Not Invented Here syndrome. For some reason the current generation is under the impression that unless they invented something then it is bad. Things like grub and systemd are good examples of that. Needlessly complicated redesigns that do the same functionality.
Re: (Score:2)
... systemd ... do the same functionality.
You don't know what it does, so it must be the same as what grandpa had, right? You're a sharp one, there, Archie.
Re: (Score:2)
Please mod this parent up.
For me I like Google. They do a lot for me. So I use Gooles DNS [google.com].
Re: (Score:2)
The web is already secure without DNS being secure.
Cache Poisoning:
https://www.infoblox.com/dns-s... [infoblox.com]
Blocking Malicious Domains:
https://www.infoblox.com/dns-s... [infoblox.com]
Re: (Score:2)
For those who don't care to click on external links to see what Ostracus is wanting to say, it basically boils down to to this:
Dnssec (which has nothing to do with the article or what Firefox is doing) is used to counter what are commonly called "security issues" around dns. Dnssec is what protects you from spoofed dns records ending up in your cache and that kind of thing. It ensures that the answers you get are legitimate.
What Firefox is doing, dns over HTTPS, tries to provide *privacy* by encrypting the
Re: (Score:1)
They centralize control of the internet with a few key players and make it harder for people to control their own devices and networks
You now understand the purpose behind it. Mozilla is driven bonkers by the fact that they cannot police what their users read with their browsers. Extending their tentacles into DNS gives them a way to do that.
Re: (Score:3)
Are you high? This doesn't centralize anything. Comcast customers (well, those who don't have the knowledge or wherewithal to run their own caching nameservers) have always used Comcast's nameservers. This actually moves things back towards decentralization by getting all those Comcast/Firefox users off the AnyNet resolvers and back onto the Comcast resolvers which are actually topologically nearer on the network.
No one's taking away your "agency". Run your own nameserver if you like. They won't stop y
Re: (Score:2)
That comment was right over your head. You don't even realize that something was put in place which was intended to avoid ISP getting information an now we come back to giving this information to the ISP. What in your mind justifies this stupidity as being reasonable?
Re: (Score:2)
Oh... I see what the problem is now.
You know you're not supposed to use the computer by yourself. When your parents come back, try and remember to tell them "Privacy is an aspect of security".
Re: (Score:2)
I beg to differ. There is more to "being secure" than using HTTPS. I use Quad9 [quad9.net] because they do malicious domain filtering. I use them on my desktop (via dnscrypt-proxy [github.com]) and phone (via their Quad9 Connect app [google.com]), and it's important that I'm able to communicate my queries securely, since I'm expecting them to do malicious domain filtering.
In addition to wanting the lookups to be private (via dnscrypt relays), I don't wa
Re: (Score:2)
If you're so concerned, why aren't you advocating for secure, private solutions like DNSCrypt which support anonymous relays? DNSCrypt>DoH>DoT.
Re: (Score:3)
The web works well because DNS is extremely simple, flexible, decentralized, and fast. These solutions take away all of those properties and turn DNS into yet another slow, fragile, centralized monstrosity.
Do you even know what DN_S is?
At the moment 99.9% of users use a single DN_S server, most likely the default one provided by their ISP or employer. If there is a fallback server then 99.9% of the time it's on the same network and will go down at the same time as the primary. It's centralized and fragile. and quite slow too for multiple look-ups and there is no way for the server to assist with speculative look-ups either.
DN_S is also a privacy and censorship nightmare. Because it isn't encrypted even if you
Re: (Score:2)
The web works well because DNS is extremely simple, flexible, decentralized, and fast. These solutions take away all of those properties and turn DNS into yet another slow, fragile, centralized monstrosity.
Do you even know what DN_S is?
No, tell us, what is D N underscore S.
Re: (Score:2)
As I said it's because if you write DNS too many times in a post it triggers the lameness filter.
Re: (Score:2)
and turn DNS into yet another slow, fragile, centralized monstrosity
It does nothing of the sort. There are many legitimate complaints about DoH but slow, fragile and centralized seems to indicate more that you fundamentally don't have a clue about it and have some other agenda in mind. Especially since the entire rest of your post focuses about centralisation when the reality is there's about as much preventing you from running and configuring your own DOH server as there is preventing you setting up your own classic DNS server.
DoH is a protocol. Support for the protocol is
NEVER NEVER EVER (Score:1)
Never use an ISP's DNS. It might be a little slower not to, but the risk of DNS poisoning is too great with these greedy bastards. I've caught my own ISP doing this, LocalTel Fiber in Washington State.
Re: (Score:3)
Never use an ISP's DNS. It might be a little slower not to,
The fastest way is simply to run your own recursive caching DNS locally (bind/named) for free with a 32MB RAM footprint. Screw it, absolutely no external/provider/google DNS is needed to resolve your browser and other software DNS queries.
Re:NEVER NEVER EVER (Score:4, Insightful)
Re:NEVER NEVER EVER (Score:4, Informative)
I like the concept of DNSSEC-Trigger (https://nlnetlabs.nl/projects/dnssec-trigger/about/). It uses local recursive servers if they provide DNSSEC and falls back to doing its own validation if that is not available. I think this gives a good balance of trust and performance enabled by DNSSEC.
Re: (Score:2)
Are you just using the root servers as your actual DNS server?
That's exactly what a default install of bind/named does. It bootstraps with a hardcoded list of root servers. I think they don't implement this way of functioning directly in any other piece of software to avoid overloading the root servers. The fact remains, no middle-man is required to do a DNS lookup.
Re: (Score:2)
You can usually set the DNS gateway in the router.
Google's are 8.8.8.8 and 8.8.4.4 and you can use them as your DNS servers.
Re: (Score:2)
Not so sure my friend, root name servers use anycast IP so a machine at your provider may very well be a root server.
Here is basically how a recursive and caching name server works: .com name servers the servers for google.com
1) ask root name servers for top TLD name servers, example: com, net
2) cache for a very long time name servers for top TLD, example: com
NOTE: In fact, a recursive and caching DNS doesn't query the root DNSs often at all. Maybe a few times a day at most.
3) ask
4) cache name servers for
Re: (Score:2)
I don't know about you, but I appreciate malicious-domain filtering DNS providers like Quad9 [quad9.net], which supports DNSCrypt, DoH, and DoT, along with plain DNS.
Re: (Score:2)
Google is your friend, a locally hosted bind/named supports all you mentioned. In the end, there is still no need for middle man if it is what you wish.
Re: (Score:2)
A locally hosted named does not support blocking continuously updated threat-intelligence-provider malicious domain lists.
Re: (Score:2)
Again, Google is your friend: there is free available domain blacklists for this purpose available, just update the list a few times every day and reload bind/named.
Here is one:
http://www.malwaredomains.com/ [malwaredomains.com]
http://www.malwaredomains.com/... [malwaredomains.com]
Re: (Score:2)
Pretty much every online database of blacklists is considered obsolete. Blacklists are proprietary information.
Re: (Score:2)
Sure, it is well known fact here that proprietary is always best. /sarcasm
Re: (Score:2)
Also, just as an FYI, if you have your own recursive resolver, you have lowered privacy, because nameservers can track you much more easily by knowing your IP and also by looking at unexpected payloads embedded in hostnames (which Quad9 will also block). If you access Quad9 via a DNSCrypt anonymizing relay, your privacy is pretty much secure, from three things: 1) technically from the relay, 2) Quad9's privacy policy, and 3) Quad9's unexepected payload detection.
Comcast, Heck they can not even (Score:2)
Just my 2 cents
Still not sold on DoH (Score:5, Insightful)
I'm not sure I want one DNS source (using DoH) for my browser and another (using tradional DNS servers) for my OS and everything else. Makes me think of the old adage, "A person with one watch knows the time, a person with two is never sure."
Really not sure I want to trust Comcast (or any other ISP) to honor agreement(s) with Mozilla about end-user privacy.
Re: (Score:3)
nice
Re: (Score:3)
I don't like DoH either. However, you seem to be inadvertently advertising one of its benefits. Even if you do not use your ISPs DNS servers, DNS is not encrypted so your ISP can record all of your queries anyway. DoH set to the server of your choice stops your ISP from seeing all of the queries. I completely agree that there should be one resolver for the system or subnet/managed network. If that one resolver uses DoH, fine, but do not give individual applications the power to change unless it is a special
Re: (Score:2)
Some alternative router firmware offers that as an option.
Re: (Score:2)
DoH set to the server of your choice stops your ISP from seeing all of the queries.
How when the next step is you asking your ISP to connect you to that site? You want to hide from your ISP use a VPN.
What is really funny about your comment here you are posting on a discussion where ISP are starting to support DoH and now will be able to see the requests that the industry is trying to convince everyone to hide. The only thing that is changing is that life is becoming more complicated not more private
BTW DNS can be encrypted and you can bypass your ISP's DNS servers but privacy is not what D
Re: (Score:2)
Push everything through a VPN.
Re: (Score:2)
"A person with one watch knows the time, a person with two is never sure."
Voltaire — "Doubt is an uncomfortable condition, but certainty is a ridiculous one."
Me — "Every adage has an equal and opposite adage."
Re: (Score:1)
Makes me think of the old adage, "A person with one watch knows the time, a person with two is never sure."
More accurately stated: "A person with one watch believes they know the time, a person with two realizes that one or both are wrong."
Re: (Score:2)
Re: (Score:2)
Well luckily for you both Windows and Linux support DoH now so you can use the same privacy enhancing servers for both.
Re: (Score:2)
I'm not sure I want one DNS source (using DoH) for my browser and another (using tradional DNS servers) for my OS and everything else.
That's not, "not being sold on DoH", that's not being sold on application specific implementation. Build 19628 of Windows 10 already includes support for OS wide DoH, and Firefox has always had it as an optional feature.
So with that fundamental problem taken care of soon, what else are your complaints about the concept?
wtf (Score:2)
It's 2020 why isn't DNS encrypted? Why isn't EVERYTHING encrypted?
Re:wtf (Score:4, Insightful)
It's fine for DNS to be encrypted, but why does it have to be decrypted at the ISP instead of by the individual resolvers? The problem with DoH is that it puts the trust in the wrong location. If you were trying to hide activity from your ISP, I could understand having a trusted DoH resolver hide all that. But if it's your ISP, what is even the point?
Just put regular DNS behind TLS and call it a day.
Re: (Score:2)
DoT requires TCP, among other things. DNSCrypt is the way to go, with DoH in second place. DNSCrypt supports relays too. DNS over TLS has so many downsides vs DNSCrypt [dnscrypt.info], including requiring TCP, a dedicated port, and a huge TLS attack surface.
Re: (Score:2)
DNSCrypt doesn't solve any of the same problems if I'm reading correctly. The responses are not spoofable, but they're wide open for eavesdropping. That huge TLS attack surface only protects the content of the queries, but it's still more protected than signed plaintext.
And if you're going to encrypt the communication, the overhead of TCP isn't much worse. However, apparently DTLS is a thing (TLS encryption on UDP).
Re: (Score:2)
DNSCrypt fully encrypts the messages.
Re: (Score:2)
In that case, their own web site needs work. It only mentions cryptographic signatures for verification.
Re: (Score:2)
I can't argue with you there. I'll write to the page authors and see if they can mention the encryption on the front page at least.
Re: (Score:2)
I read about half that link until I got to the part where the moron who wrote it thinks the internet is like a truck, if he doesn't like your technology choices.
If you can't tell the difference between pros and cons and pejoratives, you shouldn't publish technicalish analysis.
Re: (Score:2)
Does anyone know how much of the DNS ecosystem supports DNS-over-TLS (https://tools.ietf.org/html/rfc7858)? Perhaps another reason to run Unbound and take matters into your own hands.
Comment removed (Score:3)
Re: (Score:2)
the whole reason for DoH was to stop this practice.
No, that is not the reason for DoH. The reason for DoH was to bypass ISP's and pass the monetizing to the giants. So now we have a dysfunctional network that will still harvest the data making it harder for people to hide. If you don't trust your ISP you use a VPN. DoH just fixed that for you, making your VPN useless by directing requests to larger parties making your life more complicated in protecting your privacy. Now a VPN is not enough you also need to modify the settings on every browser on your netwo
Re: (Score:2)
The question is how will Mozilla monitor Comcast for compliance?
Mozilla has some experience with this kind of thing because they do it for CAs. Presumably there will be a process they have devised with required documentation, and very strict definitions of what is allowed and what is not allowed.
Mozilla is officially evil (Score:3)
When Comcast approves.. (Score:2)
New jobs at Comcast! (Score:1)
In other news, Comcast is now hiring for
- people who understand how to implement TRR and DOH
- people who can spell either acronym
Also they're firing customer service people because COVID.
E
The more I think about this (Score:2)
Just my 2 cents
It's a bad sign when Comcast is eager to be first (Score:1)
How do I block DoH on my router? (Score:2)
How do I block DoH on my router?
There are blocklists that I don't want the kids to bypass just yet.
Re: (Score:2)
Re: (Score:2)
Is there a list?
Re: (Score:2)
There's a few ways, actually...
See also Configuring Networks to Disable DNS over HTTPSs [mozilla.org]
DoH = firewall backdoor + central point of failure (Score:4)
It's circumventing your own DNS,
by putting Mozilla in as the man in the middle to fail on us,
and they claim it is "secure".
More secure than an evil ISP? Maybe. Depends on how full of theirbown righteousness Mozilla is today.
But how full are they, if they believe they are more trustworthy to me than my own DNS server on my own box??
It's simple: A DNS server only takes a few megabytes of RAM and barely any notable CPU cycles for a single user.
Just put one in the OS, and let it do the resolving itself. With DNSSEC.
Done.
Any bigger problems with a MITM cannot be soved with DNS and require a VPN tunnel anyway.
But that would not be as "modern", aka fitting the mindset of the current generation of luddite-techies that we somehow let dominate things for no reason.
Re: (Score:2)
You know it asks you if you want to use their DNS server and you can click "no", right?
This is like wetting yourself over your ISP's DHCP server offering default DNS servers, "circumventing" your choice.
Re: (Score:2)
by putting Mozilla in as the man in the middle to fail on us,
Mozilla does not run or provide any DoH servers and thus is not in the middle of anything.
Thanks for another ignorant BAReFO0t post.
But let's no stop, there's so many other horrendously stupid things you just said to pick apart:
and they claim it is "secure".
Indeed, can you show of an active exploit against the DoH protocol? Of course not because doing so would imply SSL is fundamentally broken.
But how full are they, if they believe they are more trustworthy
They don't, and they don't provide a DoH server. You're not trusting Mozilla in the slightest and your more than welcome to select any DoH server
RE: Durrrrrr (Score:2)
by putting Mozilla in as the man in the middle to fail on us,
Mozilla does not run or provide any DoH servers and thus is not in the middle of anything.
Thanks for another ignorant BAReFO0t post.
You're not one to talk about low quality posts, fuck an A.
They don't have to run a server to be in the middle when it is their application who is contacting the server in the first place. I mean. Dude.
No wonder Firefox is becoming irrelevant (Score:2)